---
title: Rules
url: https://docs.vultr.com/products/network/firewall-groups/management/rules
description: Define network security policies that control inbound and outbound traffic to your Vultr resources.
publish_date: 2024-09-23T20:22:00.109661Z
last_updated: 2026-05-26T20:06:43.990741Z
---

# How to Create Vultr Firewall Rules

Vultr Firewall rules enable traffic filtering using port numbers and source IP addresses for incoming network requests. A Vultr Firewall group contains multiple rules that define the flow of network traffic to attached instances.

Follow this guide to create Vultr Firewall rules using the Vultr Console, API, CLI, or Terraform.

=== "Vultr Console"

    1. Navigate to **Products**, expand the **Network** drop-down and select **Firewall** from the list of options.
    1. Select your target firewall group to manage it.
    1. Click your target network type on the left navigation menu to modify the incoming traffic rules.
    1. Click the **Protocol** drop-down to select a common network application profile or choose **Custom** from the list and enter your target network port in the **Port (or range)** field.
    1. Click the **Source** drop-down, select your traffic source and enter the target source IP address.
    1. Click **Add note** and enter a descriptive label to identify the new firewall rule.
    1. Click **Add Firewall Rule** within the **Action** section to apply the new rule to your firewall group.

=== "Vultr API"

    1. Send a `GET` request to the [**List Firewall Groups** endpoint](https://www.vultr.com/api/#tag/firewall/operation/list-firewall-groups) and note the target firewall group ID in your output.

        ```console
        $ curl "https://api.vultr.com/v2/firewalls" \
          -X GET \
          -H "Authorization: Bearer ${VULTR_API_KEY}"
        ```

    1. Send a `GET` request to the [**List Firewall Rules** endpoint](https://www.vultr.com/api/#tag/firewall/operation/list-firewall-group-rules) to view all active rules in the firewall group.

        ```console
        $ curl "https://api.vultr.com/v2/firewalls/{firewall-group-id}/rules" \
           -X GET \
           -H "Authorization: Bearer ${VULTR_API_KEY}"
        ```

    1. Send a `POST` request to the [**Create Firewall Rules** endpoint](https://www.vultr.com/api/#tag/firewall/operation/post-firewalls-firewall-group-id-rules) to create a new rule in the firewall group.

        ```console
        $ curl "https://api.vultr.com/v2/firewalls/{firewall-group-id}/rules" \
           -X POST \
           -H "Authorization: Bearer ${VULTR_API_KEY}" \
           -H "Content-Type: application/json" \
           --data '{
             "ip_type" : "<network-type>",
             "protocol" : "<protocol>",
             "port" : "<target-instance-port>",
             "source" : "<source-address>",
             "notes" : "<label>"
           }'
        ```

        Visit the [**Create Firewall Rules** API page](https://www.vultr.com/api/#tag/firewall/operation/post-firewalls-firewall-group-id-rules) to view additional attributes to apply to the firewall rule.

=== "Vultr CLI"

    1. List all firewall groups in your Vultr account and note the target firewall group ID.

        ```console
        $ vultr-cli firewall group list
        ```

    1. List all rules in the firewall group.

        ```console
        $ vultr-cli firewall rule list <firewall-group-id>
        ```

    1. Create a new firewall rule.

        ```console
        $ vultr-cli firewall rule create --id=<firewall-group-id> --ip-type=<network-type> --protocol=<protocol> --source=<source-address> --port=<target-instance-port>
        ```
        
        Run `vultr-cli firewall rule create --help` to view additional options to apply to the firewall rule.

=== "Terraform"

    1. Open your Terraform configuration for the existing Firewall group.

    1. Add a `vultr_firewall_rule` for that group, then apply.

        ```terraform
        resource "vultr_firewall_rule" "allow_ssh" {
            firewall_group_id = var.firewall_group_id
            protocol          = "tcp"
            port              = "22"
            ip_type           = "v4"
            subnet            = "0.0.0.0"
            subnet_size       = 0
            notes             = "Allow SSH"
        }
        ```

    1. Apply the configuration and observe the following output:

        ```
        Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
        ```
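
The following added example (not part of the Vultr documentation) audits the output of the **List Firewall Rules** request from the API tab for rules like the Terraform `allow_ssh` example, where a sensitive port is reachable from any source address. The `firewall_rules` wrapper key, the port range separator, and the sensitive port list are assumptions, and the sample response is constructed.

```python
import ipaddress
import json

# Ports a defender usually wants restricted to known source ranges (assumed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample shaped like a List Firewall Rules response (assumed layout).
SAMPLE_RESPONSE = json.dumps({"firewall_rules": [
    {"id": 1, "ip_type": "v4", "protocol": "tcp", "port": "22",
     "subnet": "0.0.0.0", "subnet_size": 0, "notes": "Allow SSH"},
    {"id": 2, "ip_type": "v4", "protocol": "tcp", "port": "443",
     "subnet": "0.0.0.0", "subnet_size": 0, "notes": "Public HTTPS"},
    {"id": 3, "ip_type": "v4", "protocol": "tcp", "port": "3000:3400",
     "subnet": "0.0.0.0", "subnet_size": 0, "notes": "App range"},
    {"id": 4, "ip_type": "v4", "protocol": "tcp", "port": "22",
     "subnet": "192.0.2.0", "subnet_size": 24, "notes": "SSH from office"},
    {"id": 5, "ip_type": "v6", "protocol": "tcp", "port": "5432",
     "subnet": "::", "subnet_size": 0, "notes": "DB"},
    {"id": 6, "ip_type": "v4", "protocol": "icmp", "port": "",
     "subnet": "0.0.0.0", "subnet_size": 0, "notes": "Ping"},
]})


def port_bounds(port):
    """Return (low, high) for '22' or 'low:high' (separator assumed); None if unset."""
    if not port:
        return None
    low, _, high = str(port).replace("-", ":").partition(":")
    return int(low), int(high or low)


def audit_rules(response_text, sensitive=SENSITIVE_PORTS):
    """Return (rule id, port, service) for sensitive ports open to any source."""
    findings = []
    for rule in json.loads(response_text).get("firewall_rules", []):
        net = ipaddress.ip_network(f"{rule['subnet']}/{rule['subnet_size']}", strict=False)
        bounds = port_bounds(rule.get("port"))
        if net.prefixlen != 0 or bounds is None:
            continue  # source is restricted, or the protocol carries no port
        for port, service in sorted(sensitive.items()):
            if bounds[0] <= port <= bounds[1]:
                findings.append((rule["id"], port, service))
    return findings


if __name__ == "__main__":
    for rule_id, port, service in audit_rules(SAMPLE_RESPONSE):
        print(f"rule {rule_id}: {service} ({port}) reachable from any address")
```

To run it against a real group, pass the body returned by the `curl` request for `/v2/firewalls/{firewall-group-id}/rules` to `audit_rules` in place of the constructed sample.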
